Supply chain data security: The safety standards need an upgrade!


Don’t make it easy for cyber criminals

Everyone knows: ‘a loaded truck at rest is a truck at risk’. Criminality in the transport and logistics sector is a major problem. The financial consequences in Europe add up to a staggering 8 billion euros every year. And that is only the money involved. Transport criminality also slows down the supply chain and makes it less flexible and less transparent. So it is time to ring the alarm bell. And no, we are not discussing more padlocks. Good safety measures also need a protocol for better cyber security!

Shippers, transporters and drivers cannot insure themselves against losses resulting from criminal activities when they have not taken all necessary precautions. Failing to do so can bring all of a company's activities to a grinding halt or even cause a sudden bankruptcy. Logistics service providers can prove that they have done everything within their capabilities to prevent criminal activity by implementing safety standards such as those provided by the Transported Asset Protection Association (TAPA). A company can be certified against these TAPA norms and thus give evidence that it operates according to these protocols. For its liability this means it is less vulnerable, and it opens up the possibility of insuring its logistics activities against transport criminality.

Your valuable data

That sounds fair and safe. The only problem is that the TAPA norms only apply to physical aspects such as facility security requirements, trucking security requirements and parking security requirements. But so far there seems to be no standard for cyber criminality in logistics! Even worse, I almost never read any real cyber security demands in logistics contracts. Even in the AEO (Authorised Economic Operator) programme of the customs authorities, the issue seems to be, at best, a general data protection side note. That is a very disturbing conclusion, because cyber criminality is the fastest growing field of operation for organized crime. And I do not have your valuable data in mind only. What protection does your iron gate give when any third-rate hacker can pick its electronic lock from any available laptop?

You think this is far-fetched? Believe me, it is not. Cyber criminality is common practice, especially now with the exponential growth of data connectivity and the fast growing but commonly poorly secured Internet of Things, which might include that solid-looking gate of yours. Your client data are on far more IT systems than you think. It is an illusion, and quite old school, to think that your vital software and data are only accessible on premises. And the number of connections through IoT, API-based solutions, smartphones, eCMR and your old EDI keeps growing every day. You are in the cloud and in your data supply chain, whether you like it or not.

Cyber criminals know that too!

They only need to hone their everyday tactics to stay on top of their business. And where your prime business is to transport, theirs is to hack, listen in on data and intercept information between two parties (the man-in-the-middle attack). Not to mention identity fraud and social engineering. And if it raises your eyebrows that your security systems, such as your CCTV systems and electronic locks, may be at risk, think a step further. How sure are you, for instance, that the expensive GPS systems you recently installed on your vehicles show you that your trucks really are on their way to their given destinations? And suppose that in the future your vehicles operate autonomously, without a driver. What guarantee do you have that it is really you who is in control, and not some crook who has taken over?


Of course your IT people installed a firewall, and yes, there are safety and compliance standards for (electronic) hardware. But how up to date is your inventory of your biggest cyber risks? And do you know how strictly your (logistics) partners and their IT suppliers across the supply chain practise their cyber risk management?

You can find great help in the certifiable ISO 27001 standard and its companion standards up to ISO 27005. That way you declare that this subject has the full attention and concern of management. Following the guidelines of the National Cyber Security Centre is also a good step forward, and you might even complement this with a responsible disclosure policy for ethical hackers. Are you already making these standards an obligation in the contracts with all your service providers?

As a new chapter in the TAPA norms, I would advocate establishing cyber security norms for the complete supply chain to make contracting easier. In the meantime I strongly advise you to appoint a board member responsible for (supply chain) data security and to have your cyber security checked internally, including the contracts with your service providers. A good but often confronting starting point is to ask an ethical hacker to find out how much of your supposedly safe internal data he can collect or even change without your management having the faintest clue. I bet you will be flabbergasted! And please, do let me know. I really do look forward to your feedback.

Rene Bruijne